IETF Logo Mail Archive

Re: [Tcpcrypt] Initial questions

Joe Touch <touch@isi.edu> Wed, 18 June 2014 21:26 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A9DF1A0319 for <tcpcrypt@ietfa.amsl.com>; Wed, 18 Jun 2014 14:26:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MCoEmzHnvS1n for <tcpcrypt@ietfa.amsl.com>; Wed, 18 Jun 2014 14:26:49 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4DBD1A0303 for <tcpcrypt@ietf.org>; Wed, 18 Jun 2014 14:26:49 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id s5ILQZpK010839 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 18 Jun 2014 14:26:35 -0700 (PDT)
Message-ID: <53A2040B.7000804@isi.edu>
Date: Wed, 18 Jun 2014 14:26:35 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Sandy Harris <sandyinchina@gmail.com>, tcpcrypt@ietf.org
References: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com>
In-Reply-To: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/8OCW_s5cb_OoMQOpY062ukWQhL0
Subject: Re: [Tcpcrypt] Initial questions
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jun 2014 21:26:51 -0000


On 6/18/2014 2:15 PM, Sandy Harris wrote:
> This is basically a fine idea & I'm glad to see people working on it.
>
> Some comments in the archive had me somewhat worried, and the current
> draft charter has the following:
>
> - When encryption is enabled, it must at least provide protection against
>    passive eavesdropping by default,
> ...
> When encryption is enabled, then the protocol:
> - must always provide forward secrecy.
> - must always provide integrity protection of the payload data ...
> - must always provide payload encryption.
>
> Why on Earth do these have "When encryption is enabled"? As others
> have said quite eloquently in various posts, there is no reason at all
> to even consider a null encryption mode; anyone who needs that can
> just fall back to TCP.

That's what "when encryption is enabled" means - i.e., there are (at 
least) two valid modes:

	use TCPCRYPT

	do not use TCPCRYPT

Regardless of what this WG develops, the latter will always need to be 
an alternative. The charter is perhaps being overly pedantic in noting 
that the gains claimed occur only when the methods indicated are in use.

Joe

v2.23.0 | Report a Bug | By Email